This is my first attempt at a file upload script... As of right now all I'm getting is "The file you attempted to upload is not allowed.". I've been trying to upload a .png and .doc file, and as you can see both of those are in the array.

$filename = $_FILES['file_to_upload']['name']; // Get the name of the file (including file extension).
$ext = strrchr($filename, '.'); // get everything after the LAST .(dot)

echo $ext;
// Check if the filetype is allowed, if not DIE and inform the user.
if (!in_array($ext, $allowed_filetypes)) {
    die('The file you attempted to upload is not allowed.');
}

// Now check the filesize, if it is too large then DIE and inform the user.
if (filesize($_FILES['file_to_upload']['tmp_name']) > $max_filesize) {
    die('The file you attempted to upload is too large.');
}

This returns an associative array of information about the file. Then you can access the extension by storing it in a variable as thus:

$ext = $file_info['extension'];

My guess though is that your $ext variable is holding everything AFTER the fullstop, whereas your array contains extension strings holding the fullstop and the extension. So your query will not match up and return false. You could just delete all the dots from the array elements but I believe using my method is more secure as someone could upload a file such as: corruptfile.php.jpg, and when that happens, they can execute malicious code. I was advised to use pathinfo() by someone on this forum in a previous thread of mine.

(Hope someone can elaborate better).

Hope this helps you out.

Kind regards,

LC.
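
An added example, not part of any post in this thread: the extension comparison discussed above, with the allowlist stored without dots and compared in lower case, plus a content-type check so that a name like corruptfile.php.jpg is judged by what the file contains rather than by its name. The constant names, function names, size limit and MIME lists are assumptions.

```php
<?php
// Added example; the allowlist, size limit and function names are assumptions.
const ALLOWED_TYPES = [
    // extension (no dot, lower case) => MIME types accepted for it
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    // libmagic builds differ in what they report for .doc; confirm on your host
    'doc' => ['application/msword', 'application/vnd.ms-office'],
];
const MAX_BYTES = 2 * 1024 * 1024;

function upload_extension(string $clientName): string
{
    // pathinfo() returns the text after the last dot, without the dot
    return strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
}

// Returns a server-generated name to store the file under, or throws.
// Call as validate_upload($_FILES['file_to_upload'] ?? []) so a missing
// $_FILES entry (for example from a wrong enctype) is reported, not ignored.
function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    $ext = upload_extension($file['name']);
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('File type not allowed.');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Judge the content, not the name the client supplied
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('File content does not match its extension.');
    }
    // The client's name is never used on disk
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names: strrchr() keeps the dot, pathinfo() drops it.
foreach (['photo.PNG', 'report.doc', 'corruptfile.php.jpg'] as $name) {
    printf("%-20s strrchr=%-5s pathinfo=%s\n", $name, strrchr($name, '.'), upload_extension($name));
}
```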

Fou-Lu

08-15-2012, 12:16 AM

This enctype is incorrect: enctype="multi-part/form-data", it should be enctype="multipart/form-data".
Make sure you enable your error reporting while authoring:

ini_set('display_errors', 1);
error_reporting(E_ALL);

as it should inform you that there is no offset $_FILES['file_to_upload'].

BTW, this above is what I had in mind too. Originally I had put to replace echo $ext; with var_dump($ext);, but then I noticed that hyphen in the enctype that didn't belong.

HDRebel88

08-15-2012, 12:21 AM

What you could do is use the pathinfo function:

$file_info = pathinfo($_FILES['fileupload']['name']);

This returns an associative array of information about the file. Then you can access the extension by storing it in a variable as thus:

$ext = $file_info['extension'];

My guess though is that your $ext variable is holding everything AFTER the fullstop, whereas your array contains extension strings holding the fullstop and the extension. So your query will not match up and return false. You could just delete all the dots from the array elements but I believe using my method is more secure as someone could upload a file such as: corruptfile.php.jpg, and when that happens, they can execute malicious code. I was advised to use pathinfo() by someone on this forum in a previous thread of mine.

echo $ext;
// Check if the filetype is allowed, if not DIE and inform the user.
if (!in_array($ext, $allowed_filetypes)) {
    die('The file you attempted to upload is not allowed.');
}

// Now check the filesize, if it is too large then DIE and inform the user.
if (filesize($_FILES['file_to_upload']['tmp_name']) > $max_filesize) {
    die('The file you attempted to upload is too large.');
}

Nope, that will have no effect. Passworded directories are done so at the level of .htaccess, which will have no bearing on accessing directly as a filesystem.

This filepath is no good: /documents/invest/files/. This is an absolute filepath, but it's 100% guaranteed that documents does not exist off of root /. What that likely should be is the root path of your http documents home.
I myself would attach to it by translating the path off of a relative one to this script file. $_SERVER['DOCUMENT_ROOT'] may exist, and can be used to hinge off of /documents, but $_SERVER['DOCUMENT_ROOT'] will only ever exist in an http environment (and also not theoretically guaranteed to exist; I've never seen it not populated by the host machine at least in apache).

So the problem is definitely the path.
This is closer to what I would do:

But that means that in a subdirectory under this script is /documents, but this doesn't really jive with what I believe your intended path is in the first block of code.
So where is this script relative to the one under documents/invest/files?

HDRebel88

08-15-2012, 02:23 AM

Right now the path to the script is: root/area51entertainment/upload.php

upload_process.php is at: root/area51entertainment/upload_process.php

Eventually the upload script will be integrated with index.php at the path of: root/area51entertainment/index.php

The path to the files folder is: root/area51entertainment/documents/invest/files

/area51entertainment is a sub-folder off my main site

I'm on 1AND1 so I don't know the actual folder structure above the root of my primary domain name.

Fou-Lu

08-15-2012, 04:05 PM

That's fine, but using the code you have to resolve relative should work (or you can simply combine them into $upload_path = __DIR__ . '/documents/invest/files';).

You may want to verify the existence of that directory first:

printf('Check to see if the path %s is valid', realpath($upload_path));
if (file_exists($upload_path) && is_dir($upload_path))
{
    printf('%s is a valid directory with permissions: %o', $upload_path, fileperms($upload_path));
}
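
An added example, not code from the thread: resolving the upload directory relative to the script with __DIR__, as suggested above, and moving the file there only after the directory has been verified. The function names, the 0640 mode and the generated file name are assumptions; the array key and directory come from the posts.

```php
<?php
// Added example; function names and the 0640 mode are assumptions.
function resolve_upload_dir(string $relative): string
{
    // Anchor to this script's directory, not to the filesystem root "/"
    $dir = realpath(__DIR__ . '/' . trim($relative, '/'));
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException("Upload directory not found: $relative");
    }
    if (!is_writable($dir)) {
        throw new RuntimeException("Upload directory not writable: $dir");
    }
    return $dir;
}

function store_upload(string $tmpName, string $storedName, string $uploadDir): string
{
    // basename() keeps a crafted name from stepping out of $uploadDir
    $target = $uploadDir . DIRECTORY_SEPARATOR . basename($storedName);
    if (file_exists($target)) {
        throw new RuntimeException('Refusing to overwrite an existing file.');
    }
    // move_uploaded_file() only moves files PHP itself received via HTTP POST
    if (!move_uploaded_file($tmpName, $target)) {
        throw new RuntimeException('Could not move the uploaded file.');
    }
    chmod($target, 0640);
    return $target;
}

// In upload_process.php, after the type and size checks have passed:
if (isset($_FILES['file_to_upload'])) {
    $file = $_FILES['file_to_upload'];
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dir  = resolve_upload_dir('documents/invest/files');
    // Server-generated name; the client's file name is not used on disk
    echo store_upload($file['tmp_name'], bin2hex(random_bytes(16)) . '.' . $ext, $dir);
}
```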